fix zizmor findings (#16296)

Author: morganchen12

.github/workflows/_build.yml

@@ -154,7 +154,11 @@ jobs:
           fi
     - name: Run setup command
       if: inputs.setup_command != ''
-      run: ${{ inputs.setup_command }}
+      # This file is used as a template for other workflows, so
+      # using a template include here is necessary; however, this
+      # means downstream consumers must be careful not to accept user
+      # input into their setup_commands.
+      run: ${{ inputs.setup_command }} # zizmor: ignore[template-injection]
     - name: Build
       uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:

.github/workflows/_cocoapods.cron.yml

@@ -94,7 +94,7 @@ jobs:
       if: inputs.setup_command != ''
       env:
         plist_secret: ${{ secrets.plist_secret }}
-      run: ${{ inputs.setup_command }}
+      run: ${{ inputs.setup_command }} # zizmor: ignore[template-injection]
     - name: PodLibLint Cron
       uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:

.github/workflows/_cocoapods.yml

@@ -171,7 +171,7 @@ jobs:
       if: inputs.setup_command != ''
       env:
         plist_secret: ${{ secrets.plist_secret }}
-      run: ${{ inputs.setup_command }}
+      run: ${{ inputs.setup_command }} # zizmor: ignore[template-injection]
     - name: Lint ${{ inputs.product }}.podspec for ${{ matrix.platform }}
       uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       if: contains(inputs.platforms, matrix.platform)

.github/workflows/_quickstart.framework.yml

@@ -91,7 +91,7 @@ jobs:
         mkdir -p "${HOME}"/ios_frameworks/
         find "${GITHUB_WORKSPACE}" -name "Firebase*latest.zip" -exec unzip -d "${HOME}"/ios_frameworks/ {} +
     - name: Setup quickstart
-      run: ${{ inputs.setup_command }}
+      run: ${{ inputs.setup_command }} # zizmor: ignore[template-injection]
     - name: Install Secret GoogleService-Info.plist
       env:
         PLIST_SRC_PATH: ${{ inputs.plist_src_path }}

.github/workflows/_quickstart.yml

@@ -88,7 +88,7 @@ jobs:
         continue_on_error: true
         command: xcodebuild -downloadPlatform iOS
     - name: Run setup command.
-      run: ${{ inputs.setup_command }}
+      run: ${{ inputs.setup_command }} # zizmor: ignore[template-injection]
     - name: Install Secret GoogleService-Info.plist
       env:
         PLIST_SRC_PATH: ${{ inputs.plist_src_path }}

.github/workflows/_spm.yml

@@ -171,7 +171,7 @@ jobs:
         command: xcodebuild -downloadPlatform ${{ matrix.platform }}
     - name: Run setup command, if needed.
       if: inputs.setup_command != ''
-      run: ${{ inputs.setup_command }}
+      run: ${{ inputs.setup_command }} # zizmor: ignore[template-injection]
     - name: Initialize xcodebuild
       run: scripts/setup_spm_tests.sh
     - uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0

.github/workflows/infra.danger.yml

@@ -26,6 +26,10 @@ jobs:
       with:
         app-id: ${{ secrets.DANGER_APP_ID }}
         private-key: ${{ secrets.DANGER_APP_PRIVATE_KEY }}
+        permissions:
+          contents: read
+          issues: write
+          pull-requests: write
 
     - uses: ruby/setup-ruby@89f90524b88a01fe6e0b732220432cc6142926af # v1.313.0
     - name: Setup Bundler

.github/workflows/infra.ftl.nightly.yml

@@ -88,7 +88,7 @@ jobs:
     - name: Xcode
       run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer
     - name: Setup quickstart
-      run: ${{ matrix.setup_command }}
+      run: ${{ matrix.setup_command }} # zizmor: ignore[template-injection]
     - name: Install Secret GoogleService-Info.plist
       run: |
         scripts/decrypt_gha_secret.sh \